Defending ITV from Cyber Attacks

Zoe Mackenzie
Published in ITV Technology
7 min read · Sep 17, 2020

This is the first in a series of two blogs exploring how we are using the Cyber Defence Matrix, an open-source community project hosted by OWASP, to map our cyber security landscape. In this first blog we will introduce the matrix and explain how we have used it to tell a story. In our second blog we will outline our own implementation of the matrix as part of this open-source community project.

What is cyber security?

‘Cyber security’ means different things to different people. Some think of it as ‘cyber crime’, ‘hacking’ or ‘computer security’, but these are all smaller components of a bigger picture. At its core, cyber security is ensuring the confidentiality, integrity and availability of our assets. An organisation’s assets could be its data, devices, networks, applications and/or users.

My role as a Cyber Security Analyst for ITV is a varied, challenging and rewarding one. Our team at ITV is agile and dynamic: we work in sets of analysts, managers and specialists, covering all areas of the business. As well as my work in enterprise security, I specialise in cyber security advisory for ITV Studios, News and International.

When assessing our assets we may find a risk, for example ‘lack of anti-virus’. It is then our job to map that risk to a control, the safeguard we advise the business to put in place. Controls are usually implemented through people, processes and/or technology. ‘Install anti-virus’, for example, is a technology control, but it has to be deployed by people and kept running and up to date through business processes.

[Figure 1. The CIA Triad for risks and PPT for controls. Original by Zoe Mackenzie.]

If we simply wrote down a long list of our risks and controls, it would be very hard to judge what ‘complete’ looks like, because every business is different. So instead, most organisations follow a standard or framework, such as the NIST Cyber Security Framework.

NIST, the US National Institute of Standards and Technology, recognised the need for a standard approach to dealing with cyber threats to an organisation. In an ideal world organisations would not suffer cyber attacks, but we need to prepare for when one happens. The framework divides the approach into five Functions:

Pre-incident:

  • IDENTIFY your assets
  • PROTECT your assets

During and after an incident:

  • DETECT malicious activity towards your assets
  • RESPOND to malicious activity
  • RECOVER your assets to their working state.
[Figure 2. The NIST Framework V1.1. Taken from the NIST Cyber Security Framework.]

The NIST framework comes back into play when we outline the Cyber Defence Matrix later in this article, but first I will explain how I came to find out about the matrix.

Discovering the Cyber Defence Matrix

On the 23rd February 2020, on a crisp and sunny day in San Francisco, I travelled to the Moscone Centre to take part in the week-long RSA conference. RSA is one of the world’s largest annual cyber security conferences: it attracts over 42,000 attendees and hosts hundreds of stages, talks, seminars and exhibitors. It is the ‘mecca’ for cyber security geeks, who network and watch as security legends take the stage.

On day 4, a friend of mine asked if I’d like to join her at the Cyber Defence Matrix workshop run by the OWASP Foundation. The two-hour workshop was interactive: we worked in groups to map security controls onto the matrix. Each group had a whiteboard, pens, markers, sticky notes and different exercises to do. The session taught us about the matrix and how a team could work together to decide how best to use it. Overall the workshop was great, and each team had different opinions on how the matrix should be used. We learned that the matrix is subjective but can be powerful if the whole team contributes equally to filling it in. I took the resources back to my teammates and we discussed how we could use it for ITV.

[Photo. Zoe (me) pictured outside the Moscone Centre on day 1 of the RSA Conference 2020.]

What is a Cyber Defence Matrix?

The Cyber Defence Matrix (CDM) is an open-source, community-based project hosted by OWASP. In its simplest form, it is a table with the five NIST functions along the X axis and your asset classes down the Y axis. See Figure 3 for the blank matrix published by OWASP. Along the bottom you can see that as you progress from the leftmost column (Identify) to the rightmost column (Recover) the degree of dependency shifts from Technology to People. We may invest heavily in technology solutions to identify and protect our assets, whereas people are what is needed at the recovery stage.

[Figure 3. Cyber Defence Matrix. Taken from https://owasp.org/www-project-cyber-defense-matrix/.]

The primary use case for the CDM is mapping out technology vendor solutions. Once mapped, you can see which parts of the matrix you have not covered, gauge how risk averse your organisation is, and use the result to inform budgets.

In Sounil Yu’s presentation at RSA 2019, he shows how the security market segments can be placed within the matrix. For example, when we PROTECT our DATA, the segment is ‘Encryption’.

[Figure 4. Cyber Defence Matrix market segments. Taken from Yu’s RSA 2019 presentation.]

Yu also highlighted some key points:

  • Placing vendors in the matrix is subjective;
  • To cover your whole organisation you may need to break it down with multiple matrices;
  • Dividing vendor solutions by module will give you a better ability to budget.

Overall, I could see the potential and couldn’t wait to discuss it with the ITV cyber team.

How we’ve implemented our own matrix

Firstly we should ask, what is the point? OWASP says we can use the CDM to see whether any technologies overlap, to support budgeting and/or to assess the overall risk appetite of the company. We thought this would be useful, but most important to us was that we could use it to tell a story.

We started by mapping our vendor technologies and presented this back to our technology teams. Each team owns a different set of technologies which contribute to the overall security of ITV, so it was really important to involve the teams with the matrix to get their suggestions and improvements.

When analysing the matrix, we considered the diagrams below, taken from Yu’s RSA 2019 presentation, which show risk averse and risk taking postures in relation to the number of controls you have in each stage of the NIST framework. In Figure 5, where Red=Technology, Blue=People and Green=Process, you can see that a risk averse organisation invests more in the ‘Protect’ stage of the NIST Framework, whereas a risk taking organisation invests less in ‘Protect’ and more in ‘Detect’.

[Figure 5. Risk Averse vs. Risk Taking Postures. Taken from Yu’s RSA 2019 presentation.]

Our first attempt at filling in the matrix was a great insight, but we asked ourselves, how can we take it to the next level?

We’re constantly improving

The matrix is a living document: mapping technology vendors was only the beginning, and we needed it to evolve and expand. Working with one of our key security partners we have identified a few improvements. The first is to re-order the assets down the Y axis to tell a story. Instead of the arbitrary Devices, Applications, Networks, Data and Users, we can tell the story as a downward flow:

  1. USERS use
  2. DEVICES which connect to
  3. NETWORKS which host
  4. APPLICATIONS which have access to
  5. DATA

Security for one group of assets contributes to the security of the next: by securing the DEVICES, for example, you also reduce the exposure of the NETWORKS those devices connect to, although it does not replace controls on the network itself. In the future, as controls shift towards a cloud-first model, the way in which they are deployed may be very different from the way they are today. The matrix gives us the flexibility to quickly update and reflect how these shifts affect our control environment.
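The matrix described above (NIST functions across the columns, asset classes down the rows in the ‘story’ order), the gap, overlap and budgeting uses from the ‘What is a Cyber Defence Matrix?’ section, and the Protect-versus-Detect posture reading of Figure 5 can all be computed from one small data structure. The following is an added Python example, not code from ITV, OWASP or Sounil Yu. The control names, costs and cell placements are constructed placeholders, and the even cost split across functions and the posture rule are simplifications chosen for illustration.

```python
"""Cyber Defence Matrix as a data structure: NIST CSF functions across the
columns, asset classes down the rows, controls mapped into the cells.
Added example, not code from ITV, OWASP or Sounil Yu. Control names, costs
and cell placements are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass

# Columns follow the NIST CSF functions. Rows use the post's "story" order
# (users -> devices -> networks -> applications -> data) rather than the
# Devices, Applications, Networks, Data, Users order of the blank CDM.
FUNCTIONS = ("Identify", "Protect", "Detect", "Respond", "Recover")
ASSETS = ("Users", "Devices", "Networks", "Applications", "Data")
KINDS = ("technology", "process", "people")   # the PPT split from Figure 1


@dataclass(frozen=True)
class Control:
    name: str
    kind: str            # one of KINDS: how the control is mainly delivered
    annual_cost: float   # constructed figure in arbitrary budget units
    cells: frozenset     # {(asset, function), ...} the control covers


def validate(control):
    """Reject controls with an unknown kind or placed outside the matrix."""
    if control.kind not in KINDS:
        raise ValueError(f"{control.name}: unknown kind {control.kind!r}")
    for asset, function in control.cells:
        if asset not in ASSETS or function not in FUNCTIONS:
            raise ValueError(f"{control.name}: {(asset, function)} is not a CDM cell")


def build_matrix(controls):
    """Return {(asset, function): [control names]}, keeping empty cells."""
    matrix = {(a, f): [] for a in ASSETS for f in FUNCTIONS}
    for control in controls:
        validate(control)
        for cell in control.cells:
            matrix[cell].append(control.name)
    return matrix


def gaps(matrix):
    """Cells no control touches: the first thing the matrix is used to expose."""
    return sorted(cell for cell, names in matrix.items() if not names)


def overlaps(matrix, minimum=2):
    """Cells covered by several controls: candidates for consolidation."""
    return {cell: names for cell, names in matrix.items() if len(names) >= minimum}


def spend_by_function(controls):
    """Split each control's cost evenly over the functions it covers, summed per function."""
    spend = dict.fromkeys(FUNCTIONS, 0.0)
    for control in controls:
        functions = {function for _, function in control.cells}
        for function in functions:
            spend[function] += control.annual_cost / len(functions)
    return spend


def posture(spend):
    """Crude reading of Figure 5: more Protect than Detect spend reads as risk averse."""
    return "risk averse" if spend["Protect"] > spend["Detect"] else "risk taking"


def mix_by_function(controls):
    """Count technology/process/people controls per function (Figure 5's colour split)."""
    mix = {function: defaultdict(int) for function in FUNCTIONS}
    for control in controls:
        for function in {function for _, function in control.cells}:
            mix[function][control.kind] += 1
    return mix


def render(matrix):
    """Plain-text grid: number of controls per cell, '-' for a gap."""
    rows = [f"{'':<12} | " + " | ".join(f"{f:>8}" for f in FUNCTIONS)]
    for asset in ASSETS:
        counts = [str(len(matrix[(asset, f)])) if matrix[(asset, f)] else "-" for f in FUNCTIONS]
        rows.append(f"{asset:<12} | " + " | ".join(f"{c:>8}" for c in counts))
    return "\n".join(rows)


# Constructed sample portfolio, not ITV's real control set.
SAMPLE_CONTROLS = (
    Control("Endpoint anti-virus", "technology", 30, frozenset({("Devices", "Protect"), ("Devices", "Detect")})),
    Control("Asset inventory", "technology", 10, frozenset({("Devices", "Identify"), ("Applications", "Identify")})),
    Control("Security awareness training", "people", 5, frozenset({("Users", "Protect")})),
    Control("Email filtering", "technology", 15, frozenset({("Users", "Protect"), ("Users", "Detect")})),
    Control("Network IDS", "technology", 20, frozenset({("Networks", "Detect")})),
    Control("Encryption at rest", "technology", 12, frozenset({("Data", "Protect")})),
    Control("Backups", "process", 8, frozenset({("Data", "Recover")})),
    Control("Incident response runbook", "process", 4,
            frozenset({(a, "Respond") for a in ("Devices", "Networks", "Applications", "Data")})),
)

if __name__ == "__main__":
    matrix = build_matrix(SAMPLE_CONTROLS)
    print(render(matrix))
    print("gaps:", gaps(matrix))
    spend = spend_by_function(SAMPLE_CONTROLS)
    print("spend by function:", spend, "->", posture(spend))
```

Running it prints the grid with a ‘-’ wherever no control lands. In the sample portfolio the Detect column is reasonably covered while Networks/Protect and Applications/Protect are empty, so the spend rule reports a risk taking posture in the sense of Figure 5; those empty cells are exactly the kind of gap the mapping exercise is meant to surface before anyone argues about budget.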

Another observation is that flowing down from users to data mimics the attack path outlined in Lockheed Martin’s Cyber Kill Chain, shown in Figure 6, with the:

  • Reconnaissance, Weaponisation, Delivery and Exploitation stages acting on ‘Users’ and ‘Devices’;
  • Installation and Command & Control stages relating more to ‘Networks’ and ‘Applications’; followed by
  • Actions on Objectives, which usually involve exfiltrating or denying access to ‘Data’.
[Figure 6. The Cyber Kill Chain. Taken from Cyber Kill Chain by Lockheed Martin.]

Telling a story to our teams is really valuable, however we wanted to take the matrix to the next level. Look out for part two of the blog series, where we will outline further improvements to our unique implementation of the matrix.
